Found some very strange entries in our dhcpd.leases file. All from the same MAC address.
It queries for all available IPs. It will get a new lease every second. It has now done the same thing 4 times on the network. As you can see from the cat entry, that is 1190 entries all linked to the same MAC address, all since 9:30am this morning.

I expect our network is being scanned for available IPs.

What can I do to find out where this device is and what it is doing?

Does anybody know of some vulnerability scanners that would do this?

Does anybody know of a way to track this device?

To see traffic coming to or from that device.

A way to block that MAC address on our network.

I cleaned out the lease file and restarted the dhcpd server; within 20 minutes we had another 120 entries.

Block/blacklist the MAC and see who complains? BOFH! ;)
– HaydnWVN Nov 22 '11 at 12:04

@haydnwvn I am more worried that this is some malicious activity. I would like to do more than just close the door after it has opened. I want to stop the door from being opened. superuser.com/q/360238/67952
– nelaar Nov 22 '11 at 12:11

That is a Cisco vendor id, maybe a rogue switch?
– charlesbridge Nov 22 '11 at 12:24
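The question's own evidence is the lease file itself: one hardware address holding many IPs, each lease lasting seconds. The following is an added example (not code from the question or either answer) that parses the ISC dhcpd.leases format, counts distinct IPs per MAC, and reports any MAC above a threshold; the sample file contents are constructed for this example, and only the MAC 6c:50:4d:0e:c8:c0 comes from the thread.

```python
import re
import sys
from collections import defaultdict

# Constructed sample of an ISC dhcpd.leases file. The MAC 6c:50:4d:0e:c8:c0
# is the one discussed in the thread; the IPs, timestamps and the second
# client (00:11:22:33:44:55) are made up for this example.
SAMPLE_LEASES = """\
# The format of this file is documented in the dhcpd.leases(5) manual page.
lease 10.0.0.10 {
  starts 2 2011/11/22 09:30:01;
  ends 2 2011/11/22 09:30:31;
  binding state active;
  hardware ethernet 6c:50:4d:0e:c8:c0;
}
lease 10.0.0.11 {
  starts 2 2011/11/22 09:30:02;
  ends 2 2011/11/22 09:30:32;
  binding state active;
  hardware ethernet 6c:50:4d:0e:c8:c0;
}
lease 10.0.0.12 {
  starts 2 2011/11/22 09:30:03;
  ends 2 2011/11/22 09:30:33;
  binding state active;
  hardware ethernet 6C:50:4D:0E:C8:C0;
}
lease 10.0.0.50 {
  starts 2 2011/11/22 08:15:00;
  ends 2 2011/11/23 08:15:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "workstation-7";
}
"""

# One "lease <ip> { ... }" block per match; the body never contains braces.
LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
MAC_RE = re.compile(r"hardware ethernet\s+([0-9a-fA-F:]{17});")
START_RE = re.compile(r"starts\s+\d\s+(\S+\s+\S+);")


def parse_leases(text):
    """Return a list of (ip, mac, starts) tuples, one per lease block.

    dhcpd appends a new block every time a lease changes, so the same IP
    can appear many times; every block is returned, exactly as in the file.
    Blocks without a hardware ethernet line (e.g. abandoned leases) are skipped.
    """
    out = []
    for m in LEASE_RE.finditer(text):
        ip, body = m.group(1), m.group(2)
        mac = MAC_RE.search(body)
        if not mac:
            continue
        start = START_RE.search(body)
        out.append((ip, mac.group(1).lower(), start.group(1) if start else None))
    return out


def ips_per_mac(leases):
    """Map each MAC to the sorted list of distinct IPs it has ever leased."""
    seen = defaultdict(set)
    for ip, mac, _ in leases:
        seen[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in seen.items()}


def suspicious_macs(leases, threshold=3):
    """MACs holding at least `threshold` distinct IPs.

    A normal host renews the same address; a client that walks the pool
    (as in the question) accumulates one lease per address it requested.
    The threshold is an assumption for this example, not a dhcpd setting.
    """
    return {mac: ips for mac, ips in ips_per_mac(leases).items()
            if len(ips) >= threshold}


if __name__ == "__main__":
    # Usage: python leases_check.py /var/lib/dhcp/dhcpd.leases
    # (path is the common default; adjust for your distribution)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LEASES
    entries = parse_leases(text)
    print("%d lease entries parsed" % len(entries))
    for mac, ips in suspicious_macs(entries).items():
        print("%s holds %d distinct IPs (%s .. %s)" % (mac, len(ips), ips[0], ips[-1]))
```

Run it against the real lease file to get the per-MAC breakdown the question's `cat` shows only in aggregate; the MAC it reports is the one to look up in the switch MAC tables.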

2 Answers

To track this down, check your switches. Start with the switch the DHCP server is attached to. If you are using Cisco switches, then do

show mac-address-table | inc 6c:50:4d:0e:c8:c0

This will display the ports that the MAC address has been seen on. If it is a straight switch port, then find out what is plugged into it.

If it is a trunk port, or otherwise connected to another switch, then go to that switch and repeat the process. Eventually you will find the device issuing the DHCP requests.

The rogue switch idea is a possibility. If you are using ip helper (DHCP relay) on a VLAN, and the switch is incorrectly substituting its own MAC address in the DHCP payload (not the Ethernet header), then it would look exactly like this. However, given that you have blocked the MAC in iptables, if this was the case, you would have a whole segment of your network unable to get IP addresses. You'd probably know about it by now.